Thursday, July 8, 2021

My responses to questions re: my recent webinar on cybersecurity:

1.  The System Administrator is a key weak link?  How can we address that?  

Ans:  The Sys Ad can make changes to the program to adapt to user needs; this can be abused.  It needs checks and balances.  All changes should be documented by the Sys Ad and evaluated as to the need for V&V, with rationale; that documentation (change log, lab book, or similar) should be reviewed and signed off / approved by an independent party (QC/QA).  The Sys Ad should be a reliable, CGMP / QA/RA-inclined IT individual.

2. We're moving more of our applications and storage to the cloud.  What should we be focusing on to reduce risk?  

Ans:  Focus on the cloud provider: do they understand and agree to the need for CGMP / change control, understand the need for their clients to validate the cloud programs, and are they willing to give notice of anticipated changes well in advance of such changes, so the client can perform any necessary regression testing and V&V?

3.  It seems that phishing attacks are growing.  How can we compensate for the weak point - our people? 

Ans: The weak point is people.  Follow the NIST guidelines discussed to train personnel on how to scan e-mails, pop-ups, websites, et al. for authenticity (of URL, site, ...) vs. spoofing; check the URLs (look for purposely misspelled URLs); avoid unsolicited content and go back to the actual source using their own saved addresses / URLs rather than clicking the furnished link.  Train with unsolicited / unannounced, company IT-initiated phishing "attacks" periodically (with personnel informed that such "tests" are part of the job, but not told when or by what means).
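As an added illustration of the "check the URL" habit described above (this is not code from the original post or from the author): a small training aid that takes a link and a constructed list of the company's own trusted domains and reports the same cues people are taught to look for. The trusted domains, the homoglyph table and the thresholds are assumptions; a real deployment would use the Public Suffix List and the company's actual domain inventory. It flags cues, it does not certify a link as safe.

```python
"""Flag look-alike / suspicious URLs against a list of trusted domains.

Constructed training aid: it surfaces the cues awareness training teaches
people to check (misspelled domain, look-alike characters, trusted name
buried inside another domain, raw IP, '@' trick, no HTTPS). An empty result
means no cue fired, not that the link is safe.
"""
from urllib.parse import urlsplit

# Constructed list of domains the company actually uses (assumption).
TRUSTED_DOMAINS = ["example-bank.com", "payroll.example.com", "example.com"]

# Common visual substitutions seen in typosquatting (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row iterative version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize_homoglyphs(host: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def registrable_domain(host: str) -> str:
    """Crude last-two-labels view; a real check would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def assess_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable warnings for a link; [] means no cue fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        warnings.append("credentials/@ in URL (real site name may be hidden)")
    if host.replace(".", "").isdigit():
        warnings.append("raw IP address instead of a name")
    # Exact trusted host or a subdomain of one: nothing more to flag.
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return warnings
    warnings.append("domain not on the trusted list")
    reg = registrable_domain(host)
    # Compare against each distinct registrable trusted domain, in list order.
    for t_reg in dict.fromkeys(registrable_domain(t) for t in trusted):
        if reg != t_reg and normalize_homoglyphs(reg) == t_reg:
            warnings.append(f"homoglyph look-alike of {t_reg}")
        elif 0 < edit_distance(reg, t_reg) <= 2:
            warnings.append(f"one or two characters away from {t_reg}")
        elif t_reg in host:  # e.g. example-bank.com.login-verify.net
            warnings.append(f"{t_reg} appears inside a different domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a training e-mail.
    for link in ["https://payroll.example.com/login",
                 "https://examp1e-bank.com/login",
                 "http://example-bank.com.login-verify.net/",
                 "https://example-bank.co/",
                 "https://192.0.2.10/login"]:
        print(link, "->", assess_url(link) or "no cue fired")
```

The point of the exercise is the order of checks: a link is cleared only when the hostname is exactly a trusted domain or a subdomain of one; anything else is measured against the trusted names for the substitutions and near-misses people are trained to spot.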

4.  Where in the software V&V should we best add cyber tests?  

Ans:  The OQ, since its primary goal is to prove the requirement has been met: the system does what it should do and doesn't do what it shouldn't.  If there is allowable "worst case" input variability in the company's implementation of that requirement (due to platforms, shifts, types of records, etc.), then also expand that OQ test case into PQ test cases: several PQs, each with many samples (with the rationale for the sample number selected included in the protocol).

-- John E. Lincoln

jel@jelincoln.com
